df73b74159ae2e68c68fff5bde3855cb4eba0c33fc8a3a1e59daedb5a820b875

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Size

56KB
MD5

3b7f4e25a0cb707b27fa16593b702140
SHA1

68421dadab83d22d850deda562a2c3e06bcb4268
SHA256

df73b74159ae2e68c68fff5bde3855cb4eba0c33fc8a3a1e59daedb5a820b875
SHA512

61ee3919afea21db049386cc0a132a1740457de33d1d47e8b543577d4012ac2242db473d5c9ecae6aee875a0f56861a2903146fa8088917fb38312e4bb66ee19
SSDEEP

768:uEaz5G7MaEtbwQpeyjaSLyfOPT4xcsrRA9Xu/IC4X3i2AH350azknSRXJuRWQlhA:v4GYUWeypTUuuQj635cSRU3iN/ntNL

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TA_Start.lnk	dwdsrngt.exe

Executes dropped EXE 64 IoCs

pid	Process
2284	dwdsrngt.exe
3700	dwdsrngt.exe
1500	dwdsrngt.exe
2888	dwdsrngt.exe
3868	dwdsrngt.exe
2640	dwdsrngt.exe
2476	dwdsrngt.exe
1724	dwdsrngt.exe
1884	dwdsrngt.exe
3504	dwdsrngt.exe
2984	dwdsrngt.exe
3760	dwdsrngt.exe
4808	dwdsrngt.exe
1816	dwdsrngt.exe
2060	dwdsrngt.exe
1044	dwdsrngt.exe
3196	dwdsrngt.exe
2828	dwdsrngt.exe
1424	dwdsrngt.exe
1600	dwdsrngt.exe
3372	dwdsrngt.exe
1292	dwdsrngt.exe
2688	dwdsrngt.exe
4288	dwdsrngt.exe
4940	dwdsrngt.exe
4956	dwdsrngt.exe
2560	dwdsrngt.exe
3660	dwdsrngt.exe
2112	dwdsrngt.exe
4700	dwdsrngt.exe
4204	dwdsrngt.exe
748	dwdsrngt.exe
4692	dwdsrngt.exe
1640	dwdsrngt.exe
1236	dwdsrngt.exe
2504	dwdsrngt.exe
4896	dwdsrngt.exe
2368	dwdsrngt.exe
2040	dwdsrngt.exe
4380	dwdsrngt.exe
2148	dwdsrngt.exe
2264	dwdsrngt.exe
5100	dwdsrngt.exe
644	dwdsrngt.exe
2784	dwdsrngt.exe
1856	dwdsrngt.exe
3580	dwdsrngt.exe
2216	dwdsrngt.exe
1372	dwdsrngt.exe
2872	dwdsrngt.exe
4420	dwdsrngt.exe
3620	dwdsrngt.exe
4068	dwdsrngt.exe
4696	dwdsrngt.exe
4060	dwdsrngt.exe
1460	dwdsrngt.exe
4556	dwdsrngt.exe
4260	dwdsrngt.exe
4368	dwdsrngt.exe
740	dwdsrngt.exe
5072	dwdsrngt.exe
3616	dwdsrngt.exe
4448	dwdsrngt.exe
1388	dwdsrngt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{29-9E-EA-A4-ZN} = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe CHD001"	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{29-9E-EA-A4-ZN} = "c:\\windows\\SysWOW64\\dwdsrngt.exe CHD001"	dwdsrngt.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe
File opened for modification	C:\Windows\SysWOW64\dbglogfolder\n_inst_12_10_24.log	dwdsrngt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwdsrngt.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	dwdsrngt.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
448	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
448	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
2284	dwdsrngt.exe
2284	dwdsrngt.exe
3700	dwdsrngt.exe
3700	dwdsrngt.exe
1500	dwdsrngt.exe
1500	dwdsrngt.exe
2888	dwdsrngt.exe
2888	dwdsrngt.exe
3868	dwdsrngt.exe
3868	dwdsrngt.exe
2640	dwdsrngt.exe
2640	dwdsrngt.exe
2476	dwdsrngt.exe
2476	dwdsrngt.exe
1724	dwdsrngt.exe
1724	dwdsrngt.exe
1884	dwdsrngt.exe
1884	dwdsrngt.exe
3504	dwdsrngt.exe
3504	dwdsrngt.exe
2984	dwdsrngt.exe
2984	dwdsrngt.exe
3760	dwdsrngt.exe
3760	dwdsrngt.exe
4808	dwdsrngt.exe
4808	dwdsrngt.exe
1816	dwdsrngt.exe
1816	dwdsrngt.exe
2060	dwdsrngt.exe
2060	dwdsrngt.exe
1044	dwdsrngt.exe
1044	dwdsrngt.exe
3196	dwdsrngt.exe
3196	dwdsrngt.exe
2828	dwdsrngt.exe
2828	dwdsrngt.exe
1424	dwdsrngt.exe
1424	dwdsrngt.exe
1600	dwdsrngt.exe
1600	dwdsrngt.exe
3372	dwdsrngt.exe
3372	dwdsrngt.exe
1292	dwdsrngt.exe
1292	dwdsrngt.exe
2688	dwdsrngt.exe
2688	dwdsrngt.exe
4288	dwdsrngt.exe
4288	dwdsrngt.exe
4940	dwdsrngt.exe
4940	dwdsrngt.exe
4956	dwdsrngt.exe
4956	dwdsrngt.exe
2560	dwdsrngt.exe
2560	dwdsrngt.exe
3660	dwdsrngt.exe
3660	dwdsrngt.exe
2112	dwdsrngt.exe
2112	dwdsrngt.exe
4700	dwdsrngt.exe
4700	dwdsrngt.exe
4204	dwdsrngt.exe
4204	dwdsrngt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2284	448	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	86
PID 448 wrote to memory of 2284	448	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	86
PID 448 wrote to memory of 2284	448	3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe	86
PID 2284 wrote to memory of 3700	2284	dwdsrngt.exe	87
PID 2284 wrote to memory of 3700	2284	dwdsrngt.exe	87
PID 2284 wrote to memory of 3700	2284	dwdsrngt.exe	87
PID 3700 wrote to memory of 1500	3700	dwdsrngt.exe	88
PID 3700 wrote to memory of 1500	3700	dwdsrngt.exe	88
PID 3700 wrote to memory of 1500	3700	dwdsrngt.exe	88
PID 1500 wrote to memory of 2888	1500	dwdsrngt.exe	89
PID 1500 wrote to memory of 2888	1500	dwdsrngt.exe	89
PID 1500 wrote to memory of 2888	1500	dwdsrngt.exe	89
PID 2888 wrote to memory of 3868	2888	dwdsrngt.exe	90
PID 2888 wrote to memory of 3868	2888	dwdsrngt.exe	90
PID 2888 wrote to memory of 3868	2888	dwdsrngt.exe	90
PID 3868 wrote to memory of 2640	3868	dwdsrngt.exe	91
PID 3868 wrote to memory of 2640	3868	dwdsrngt.exe	91
PID 3868 wrote to memory of 2640	3868	dwdsrngt.exe	91
PID 2640 wrote to memory of 2476	2640	dwdsrngt.exe	92
PID 2640 wrote to memory of 2476	2640	dwdsrngt.exe	92
PID 2640 wrote to memory of 2476	2640	dwdsrngt.exe	92
PID 2476 wrote to memory of 1724	2476	dwdsrngt.exe	93
PID 2476 wrote to memory of 1724	2476	dwdsrngt.exe	93
PID 2476 wrote to memory of 1724	2476	dwdsrngt.exe	93
PID 1724 wrote to memory of 1884	1724	dwdsrngt.exe	94
PID 1724 wrote to memory of 1884	1724	dwdsrngt.exe	94
PID 1724 wrote to memory of 1884	1724	dwdsrngt.exe	94
PID 1884 wrote to memory of 3504	1884	dwdsrngt.exe	95
PID 1884 wrote to memory of 3504	1884	dwdsrngt.exe	95
PID 1884 wrote to memory of 3504	1884	dwdsrngt.exe	95
PID 3504 wrote to memory of 2984	3504	dwdsrngt.exe	96
PID 3504 wrote to memory of 2984	3504	dwdsrngt.exe	96
PID 3504 wrote to memory of 2984	3504	dwdsrngt.exe	96
PID 2984 wrote to memory of 3760	2984	dwdsrngt.exe	97
PID 2984 wrote to memory of 3760	2984	dwdsrngt.exe	97
PID 2984 wrote to memory of 3760	2984	dwdsrngt.exe	97
PID 3760 wrote to memory of 4808	3760	dwdsrngt.exe	98
PID 3760 wrote to memory of 4808	3760	dwdsrngt.exe	98
PID 3760 wrote to memory of 4808	3760	dwdsrngt.exe	98
PID 4808 wrote to memory of 1816	4808	dwdsrngt.exe	99
PID 4808 wrote to memory of 1816	4808	dwdsrngt.exe	99
PID 4808 wrote to memory of 1816	4808	dwdsrngt.exe	99
PID 1816 wrote to memory of 2060	1816	dwdsrngt.exe	100
PID 1816 wrote to memory of 2060	1816	dwdsrngt.exe	100
PID 1816 wrote to memory of 2060	1816	dwdsrngt.exe	100
PID 2060 wrote to memory of 1044	2060	dwdsrngt.exe	101
PID 2060 wrote to memory of 1044	2060	dwdsrngt.exe	101
PID 2060 wrote to memory of 1044	2060	dwdsrngt.exe	101
PID 1044 wrote to memory of 3196	1044	dwdsrngt.exe	102
PID 1044 wrote to memory of 3196	1044	dwdsrngt.exe	102
PID 1044 wrote to memory of 3196	1044	dwdsrngt.exe	102
PID 3196 wrote to memory of 2828	3196	dwdsrngt.exe	103
PID 3196 wrote to memory of 2828	3196	dwdsrngt.exe	103
PID 3196 wrote to memory of 2828	3196	dwdsrngt.exe	103
PID 2828 wrote to memory of 1424	2828	dwdsrngt.exe	104
PID 2828 wrote to memory of 1424	2828	dwdsrngt.exe	104
PID 2828 wrote to memory of 1424	2828	dwdsrngt.exe	104
PID 1424 wrote to memory of 1600	1424	dwdsrngt.exe	105
PID 1424 wrote to memory of 1600	1424	dwdsrngt.exe	105
PID 1424 wrote to memory of 1600	1424	dwdsrngt.exe	105
PID 1600 wrote to memory of 3372	1600	dwdsrngt.exe	106
PID 1600 wrote to memory of 3372	1600	dwdsrngt.exe	106
PID 1600 wrote to memory of 3372	1600	dwdsrngt.exe	106
PID 3372 wrote to memory of 1292	3372	dwdsrngt.exe	107

C:\Users\Admin\AppData\Local\Temp\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b7f4e25a0cb707b27fa16593b702140_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- \??\c:\windows\SysWOW64\dwdsrngt.exe
  c:\windows\system32\dwdsrngt.exe CHD001
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2284
- - \??\c:\windows\SysWOW64\dwdsrngt.exe
    c:\windows\system32\dwdsrngt.exe CHD001
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - \??\c:\windows\SysWOW64\dwdsrngt.exe
      c:\windows\system32\dwdsrngt.exe CHD001
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1500
    - - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        10⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        11⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        13⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        14⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        15⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        17⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        18⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        19⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        23⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4288
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        26⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        27⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4956
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        28⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        29⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        31⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4700
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4204
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:748
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        34⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        36⤵
        Executes dropped EXE
        
        PID:1236
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        37⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        41⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        45⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        47⤵
        Drops startup file
        Executes dropped EXE
        
        PID:1856
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        49⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        51⤵
        Executes dropped EXE
        
        PID:2872
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        54⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        57⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        59⤵
        Drops startup file
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        63⤵
        Executes dropped EXE
        
        PID:3616
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        64⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        66⤵
        Drops file in System32 directory
        
        PID:1252
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        67⤵
        Modifies registry class
        
        PID:2896
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        68⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        73⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        74⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:3364
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        75⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        76⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        77⤵
        Drops file in System32 directory
        
        PID:1164
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        78⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        79⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        80⤵
        Drops startup file
        
        PID:4128
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        81⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        83⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        85⤵
        Drops startup file
        Modifies registry class
        
        PID:2040
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        88⤵
        Drops startup file
        
        PID:4988
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        89⤵
        
        PID:2888
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        91⤵
        Drops startup file
        
        PID:3868
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        92⤵
        Modifies registry class
        
        PID:3628
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        95⤵
        Modifies registry class
        
        PID:4844
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        98⤵
        Drops startup file
        Modifies registry class
        
        PID:4992
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        100⤵
        Drops file in System32 directory
        
        PID:556
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        101⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        103⤵
        
        PID:3000
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        104⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        105⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        106⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        108⤵
        Drops file in System32 directory
        
        PID:2980
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        109⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        110⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        111⤵
        Modifies registry class
        
        PID:4460
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        115⤵
        Drops startup file
        Modifies registry class
        
        PID:1184
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        116⤵
        Drops startup file
        
        PID:3452
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        117⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        118⤵
        
        PID:4228
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        119⤵
        Drops startup file
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        120⤵
        Drops startup file
        Modifies registry class
        
        PID:1976
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        121⤵
        Drops startup file
        Modifies registry class
        
        PID:4292
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        122⤵
        Drops startup file
        Drops file in System32 directory
        
        PID:4628
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        123⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        124⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        125⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        127⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        128⤵
        Drops file in System32 directory
        
        PID:1908
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        129⤵
        Drops startup file
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        130⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        131⤵
        Drops startup file
        
        PID:1164
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        132⤵
        Drops startup file
        Modifies registry class
        
        PID:4116
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        134⤵
        
        PID:336
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        \??\c:\windows\SysWOW64\dwdsrngt.exe
        
        c:\windows\system32\dwdsrngt.exe CHD001
        136⤵
        
        PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msnav32.ax

Filesize
17B

MD5
b9b738b5d5b92889336547a6c22d3991

SHA1
55e7ec0184ac63a182d8973d68a7294d493b75e4

SHA256
c327e7bb193088f8afc07ff624422abc3cf7f06bed33b62ba08b443bf306d69f

SHA512
5a2879f1aeb783e1b1895cc7a7fc3f752c6a6173581f71062c0c145bf78e560de848294111a1f1ae79e92e96e604ec455af0e69d073a74e9827dcd0fd5489af7

Download Submit
\??\c:\windows\SysWOW64\dwdsrngt.exe

Filesize
56KB

MD5
20bf9878615da1e26d4ab58f87703604

SHA1
7d7f311a7e8a3c67e4a6804d7b00ed00dd14cb0e

SHA256
ecf72bad604e9245d8c9637b622519e710eea2353f9c63190ee9fcf0ba2a9992

SHA512
60165f5a2eb5e32dbdb9c961269fe07ab0a9c5c343720396d9794f54251ffbade2f87091d956a9e19942075975dfc2b61c0b612702e93cda12f577a7a2ff6788

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads